refactor(On-demand-Builds-CI)!: use pull_request_target instead of pull_request. (Acode-Foundation#1628)

* refactor(On-demand-Builds-CI)!: use pull_request_target instead of pull_request.

Important: `pull_request_target` makes the `on-demand-preview-releases-PR.yml` run from base repository with secrets and gives read/write permissions to `$GITHUB_TOKEN` (`secrets.GITHUB_TOKEN`). Unlike normal `pull_request` trigger that has explicit read-ONLY permissions for `$GITHUB_TOKEN`. Meaning secrets and permissions SHOULD BE NOW handled strictly!

Changes:

- checkout `${{ github.event.pull_request.head.sha }}` & sets `persist-credentials: false` to not persist tokens in local git config.
- Adds `skip_tagging_and_releases` input for nightly-build.yml Manual Runs (default: true)
- Adds `CODEOWNERS` file to protect nightly builds and on demand workflows, preventing pushes in PRs without reviews from Authors of the workflow.

* chore: remove `\n\n` from nightly release notes.

* revert(nightly-build): partial file - Acode-Foundation@2c37532

Revert: Acode-Foundation@2c37532

for: Acode-Foundation#1628 (comment) ( @peasneovoyager2banana2) as they did Acode-Foundation#1627 before. 
With All Respect!

* add(nightly-build): ref & persist-credentials

Author: UnschooledGamer

.github/CODEOWNERS

@@ -0,0 +1,6 @@
+.github/CODEOWNERS @Acode-Foundation
+
+# workflows
+.github/workflows/nightly-build.yml @unschooledgamer
+.github/workflows/on-demand-preview-releases-PR.yml @unschooledgamer
+.github/workflows/community-release-notifier.yml @unschooledgamer

.github/workflows/nightly-build.yml

@@ -1,3 +1,5 @@
+# Implement to use environment secrets someday, At the moment GH Actions doesn't support those in reusable workflows (ref: https://github.com/actions/runner/issues/1490)
+# at least that's what I found.
   name: Nightly Build
 
   on:
@@ -28,6 +30,12 @@
           value: ${{ jobs.build.result }}
 
     workflow_dispatch:
+      inputs:
+        skip_tagging_and_releases:
+          required: false
+          default: true
+          type: boolean
+          description: Skips Tagging & releases, since workflow_call isn't available for github.event_name, default is true
 
   concurrency:
     # Allow only one workflow per any non-`main` branch.
@@ -51,7 +59,7 @@
       permissions:
 #        contents write is needed to create Nightly Releases.
         contents: write
-        issues: write
+#        issues: write
         pull-requests: write
 
       outputs:
@@ -89,13 +97,15 @@
           uses: actions/checkout@v4
           with:
             fetch-depth: 0 # Required for tags
+            persist-credentials: false
+            ref: (inputs.is_PR && inputs.PR_NUMBER) && github.event.pull_request.head.sha || ''
 
         - name: Set up Java 21
           uses: actions/setup-java@v4
           with:
             distribution: 'temurin'
             java-version: '21'
-            cache: ${{ (github.ref == 'refs/heads/main' && 'gradle') || '' }}
+            cache: ${{ (!(inputs.is_PR && inputs.PR_NUMBER) && github.ref == 'refs/heads/main' && 'gradle') || '' }}
 
         - name: Set up Node.js
           uses: actions/setup-node@v4

.github/workflows/on-demand-preview-releases-PR.yml

@@ -1,7 +1,7 @@
 name: On Demand Preview Releases for PR
 #  avoids paths like .md, and anything in .github folder
 on:
-  pull_request:
+  pull_request_target:
     paths-ignore:
       - '!*.md'
 #      - '.github/**'
@@ -38,6 +38,9 @@ jobs:
         with:
           clean: false
           fetch-depth: 0
+          persist-credentials: false
+          # Checkout pull request HEAD commit instead of merge commit
+          ref: ${{ github.event.pull_request.head.sha }}
 
       - name: Remove Manually added PR Label
         if: |